/// <summary> /// Configures keys to be encrypted to a given certificate before being persisted to storage. /// </summary> /// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param> /// <param name="thumbprint">The thumbprint of the certificate to use when encrypting keys.</param> /// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns> public static IDataProtectionBuilder ProtectKeysWithCertificate(this IDataProtectionBuilder builder, string thumbprint) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (thumbprint == null) { throw new ArgumentNullException(nameof(thumbprint)); } // Make sure the thumbprint corresponds to a valid certificate. if (new CertificateResolver().ResolveCertificate(thumbprint) == null) { throw Error.CertificateXmlEncryptor_CertificateNotFound(thumbprint); } var services = builder.Services; // ICertificateResolver is necessary for this type to work correctly, so register it // if it doesn't already exist. services.TryAdd(DataProtectionServiceDescriptors.ICertificateResolver_Default()); Use(services, DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(thumbprint)); return(builder); }
/// <summary> /// Configures keys to be encrypted with Windows CNG DPAPI before being persisted to storage. /// </summary> /// <param name="protectionDescriptorRule">The descriptor rule string with which to protect the key material.</param> /// <param name="flags">Flags that should be passed to the call to 'NCryptCreateProtectionDescriptor'. /// The default value of this parameter is <see cref="DpapiNGProtectionDescriptorFlags.None"/>.</param> /// <returns>The 'this' instance.</returns> /// <remarks> /// See https://msdn.microsoft.com/en-us/library/windows/desktop/hh769091(v=vs.85).aspx /// and https://msdn.microsoft.com/en-us/library/windows/desktop/hh706800(v=vs.85).aspx /// for more information on valid values for the the <paramref name="descriptor"/> /// and <paramref name="flags"/> arguments. /// This API is only supported on Windows 8 / Windows Server 2012 and higher. /// </remarks> public DataProtectionConfiguration ProtectKeysWithDpapiNG(string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags) { if (protectionDescriptorRule == null) { throw new ArgumentNullException(nameof(protectionDescriptorRule)); } Use(DataProtectionServiceDescriptors.IXmlEncryptor_DpapiNG(protectionDescriptorRule, flags)); return(this); }
/// <summary> /// Configures keys to be encrypted to a given certificate before being persisted to storage. /// </summary> /// <param name="certificate">The certificate to use when encrypting keys.</param> /// <returns>The 'this' instance.</returns> public DataProtectionConfiguration ProtectKeysWithCertificate(X509Certificate2 certificate) { if (certificate == null) { throw new ArgumentNullException(nameof(certificate)); } Use(DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(certificate)); return(this); }
/// <summary> /// Configures the data protection system to persist keys to the Windows registry. /// </summary> /// <param name="registryKey">The location in the registry where keys should be stored.</param> /// <returns>The 'this' instance.</returns> public DataProtectionConfiguration PersistKeysToRegistry(RegistryKey registryKey) { if (registryKey == null) { throw new ArgumentNullException(nameof(registryKey)); } Use(DataProtectionServiceDescriptors.IXmlRepository_Registry(registryKey)); return(this); }
/// <summary> /// Configures the data protection system to persist keys to the specified directory. /// This path may be on the local machine or may point to a UNC share. /// </summary> /// <param name="directory">The directory in which to store keys.</param> /// <returns>The 'this' instance.</returns> public DataProtectionConfiguration PersistKeysToFileSystem(DirectoryInfo directory) { if (directory == null) { throw new ArgumentNullException(nameof(directory)); } Use(DataProtectionServiceDescriptors.IXmlRepository_FileSystem(directory)); return(this); }
/// <summary> /// Configures the data protection system to use the <see cref="EphemeralDataProtectionProvider"/> /// for data protection services. /// </summary> /// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param> /// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns> /// <remarks> /// If this option is used, payloads protected by the data protection system will /// be permanently undecipherable after the application exits. /// </remarks> public static IDataProtectionBuilder UseEphemeralDataProtectionProvider(this IDataProtectionBuilder builder) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } Use(builder.Services, DataProtectionServiceDescriptors.IDataProtectionProvider_Ephemeral()); return(builder); }
/// <summary> /// Configures keys to be encrypted with Windows DPAPI before being persisted to /// storage. /// </summary> /// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param> /// <param name="protectToLocalMachine">'true' if the key should be decryptable by any /// use on the local machine, 'false' if the key should only be decryptable by the current /// Windows user account.</param> /// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns> /// <remarks> /// This API is only supported on Windows platforms. /// </remarks> public static IDataProtectionBuilder ProtectKeysWithDpapi(this IDataProtectionBuilder builder, bool protectToLocalMachine) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } Use(builder.Services, DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToLocalMachine)); return(builder); }
/// <summary> /// Configures keys to be encrypted with Windows CNG DPAPI before being persisted to storage. /// </summary> /// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param> /// <param name="protectionDescriptorRule">The descriptor rule string with which to protect the key material.</param> /// <param name="flags">Flags that should be passed to the call to 'NCryptCreateProtectionDescriptor'. /// The default value of this parameter is <see cref="DpapiNGProtectionDescriptorFlags.None"/>.</param> /// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns> /// <remarks> /// See https://msdn.microsoft.com/en-us/library/windows/desktop/hh769091(v=vs.85).aspx /// and https://msdn.microsoft.com/en-us/library/windows/desktop/hh706800(v=vs.85).aspx /// for more information on valid values for the the <paramref name="protectionDescriptorRule"/> /// and <paramref name="flags"/> arguments. /// This API is only supported on Windows 8 / Windows Server 2012 and higher. /// </remarks> public static IDataProtectionBuilder ProtectKeysWithDpapiNG(this IDataProtectionBuilder builder, string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (protectionDescriptorRule == null) { throw new ArgumentNullException(nameof(protectionDescriptorRule)); } Use(builder.Services, DataProtectionServiceDescriptors.IXmlEncryptor_DpapiNG(protectionDescriptorRule, flags)); return(builder); }
/// <summary> /// Configures keys to be encrypted to a given certificate before being persisted to storage. /// </summary> /// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param> /// <param name="certificate">The certificate to use when encrypting keys.</param> /// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns> public static IDataProtectionBuilder ProtectKeysWithCertificate(this IDataProtectionBuilder builder, X509Certificate2 certificate) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (certificate == null) { throw new ArgumentNullException(nameof(certificate)); } Use(builder.Services, DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(certificate)); return(builder); }
/// <summary> /// Configures the data protection system to persist keys to the Windows registry. /// </summary> /// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param> /// <param name="registryKey">The location in the registry where keys should be stored.</param> /// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns> public static IDataProtectionBuilder PersistKeysToRegistry(this IDataProtectionBuilder builder, RegistryKey registryKey) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (registryKey == null) { throw new ArgumentNullException(nameof(registryKey)); } Use(builder.Services, DataProtectionServiceDescriptors.IXmlRepository_Registry(registryKey)); return(builder); }
/// <summary> /// Configures the data protection system to persist keys to the specified directory. /// This path may be on the local machine or may point to a UNC share. /// </summary> /// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param> /// <param name="directory">The directory in which to store keys.</param> /// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns> public static IDataProtectionBuilder PersistKeysToFileSystem(this IDataProtectionBuilder builder, DirectoryInfo directory) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (directory == null) { throw new ArgumentNullException(nameof(directory)); } Use(builder.Services, DataProtectionServiceDescriptors.IXmlRepository_FileSystem(directory)); return(builder); }
private IEnumerable <ServiceDescriptor> ResolvePolicyCore() { // Read the encryption options type: CNG-CBC, CNG-GCM, Managed IInternalAuthenticatedEncryptionSettings options = null; string encryptionType = (string)_policyRegKey.GetValue("EncryptionType"); if (String.Equals(encryptionType, "CNG-CBC", StringComparison.OrdinalIgnoreCase)) { options = new CngCbcAuthenticatedEncryptionSettings(); } else if (String.Equals(encryptionType, "CNG-GCM", StringComparison.OrdinalIgnoreCase)) { options = new CngGcmAuthenticatedEncryptionSettings(); } else if (String.Equals(encryptionType, "Managed", StringComparison.OrdinalIgnoreCase)) { options = new ManagedAuthenticatedEncryptionSettings(); } else if (!String.IsNullOrEmpty(encryptionType)) { throw CryptoUtil.Fail("Unrecognized EncryptionType: " + encryptionType); } if (options != null) { PopulateOptions(options, _policyRegKey); yield return(DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromSettings(options)); } // Read ancillary data int?defaultKeyLifetime = (int?)_policyRegKey.GetValue("DefaultKeyLifetime"); if (defaultKeyLifetime.HasValue) { yield return(DataProtectionServiceDescriptors.ConfigureOptions_DefaultKeyLifetime(defaultKeyLifetime.Value)); } var keyEscrowSinks = ReadKeyEscrowSinks(_policyRegKey); foreach (var keyEscrowSink in keyEscrowSinks) { yield return(DataProtectionServiceDescriptors.IKeyEscrowSink_FromTypeName(keyEscrowSink)); } }
/// <summary> /// Configures the data protection system to use the <see cref="EphemeralDataProtectionProvider"/> /// for data protection services. /// </summary> /// <returns>The 'this' instance.</returns> /// <remarks> /// If this option is used, payloads protected by the data protection system will /// be permanently undecipherable after the application exits. /// </remarks> public DataProtectionConfiguration UseEphemeralDataProtectionProvider() { Use(DataProtectionServiceDescriptors.IDataProtectionProvider_Ephemeral()); return(this); }
private DataProtectionConfiguration UseCryptographicAlgorithmsCore(IInternalAuthenticatedEncryptionOptions options) { options.Validate(); // perform self-test Use(DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromOptions(options)); return(this); }
/// <summary> /// Configures keys to be encrypted with Windows DPAPI before being persisted to /// storage. /// </summary> /// <param name="protectToLocalMachine">'true' if the key should be decryptable by any /// use on the local machine, 'false' if the key should only be decryptable by the current /// Windows user account.</param> /// <returns>The 'this' instance.</returns> /// <remarks> /// This API is only supported on Windows platforms. /// </remarks> public DataProtectionConfiguration ProtectKeysWithDpapi(bool protectToLocalMachine) { Use(DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToLocalMachine)); return(this); }
private static IDataProtectionBuilder UseCryptographicAlgorithmsCore(IDataProtectionBuilder builder, IInternalAuthenticatedEncryptionSettings settings) { settings.Validate(); // perform self-test Use(builder.Services, DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromSettings(settings)); return(builder); }